AWS IAM Roles Introduction
1. Introduction
AWS Identity and Access Management (IAM) Roles are a critical part of AWS security, allowing you to define permissions and access controls for AWS resources securely. Unlike IAM users, roles are intended to be assumed by trusted entities such as AWS services, IAM users, or external users.
2. Key Concepts
- Trust Policy: A JSON document that defines who can assume the role.
- Permissions Policy: A set of permissions that define what actions are allowed or denied.
- Session Duration: The length of time for which the temporary credentials are valid (default is 1 hour).
- AssumeRole API: The API call used to assume a role and obtain temporary security credentials.
3. Creating IAM Roles
To create an IAM role, follow these steps:
- Sign in to the AWS Management Console.
- Navigate to the IAM Dashboard.
- Click on "Roles" in the sidebar, then click "Create role".
- Select the trusted entity (e.g., AWS service, another AWS account).
- Attach policies that grant permissions.
- Review and create the role.
Example: Creating a Role using AWS CLI
aws iam create-role --role-name MyRole --assume-role-policy-document file://trust-policy.json
Ensure that trust-policy.json contains the appropriate trust policy in JSON format.
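The trust policy referenced above is the part of a role that decides who may assume it, so it is worth generating and checking it programmatically before running create-role. The following Python script is an added example and not part of the original page or any AWS tooling: it builds a trust policy for a caller ARN (optionally conditioned on an sts:ExternalId, the usual safeguard for cross-account trust), flags two risky patterns (a wildcard principal, and a foreign-account principal with no ExternalId condition), and validates a requested session duration against the 1 to 12 hour range the page describes. The account ids, ARNs and external id are constructed placeholders; the check logic is the example's own, not an AWS API.

```python
import json
from typing import Dict, List, Optional

# Role session duration bounds in seconds: 1 hour minimum (the default), 12 hours maximum.
MIN_SESSION_SECONDS = 3600
MAX_SESSION_SECONDS = 43200


def build_trust_policy(principal_arn: str, external_id: Optional[str] = None) -> Dict:
    """Return a trust policy that lets `principal_arn` call sts:AssumeRole on the role.

    With `external_id` set, the trust is additionally conditioned on the caller
    presenting that value, which is the standard control for cross-account roles.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def account_id_from_principal(principal: str) -> Optional[str]:
    """Extract the 12-digit account id from an ARN or a bare account-id principal."""
    if principal.isdigit():
        return principal
    parts = principal.split(":")
    # ARN layout: arn:partition:service:region:account-id:resource
    return parts[4] if len(parts) >= 6 and parts[4].isdigit() else None


def check_trust_policy(policy: Dict, own_account_id: str) -> List[str]:
    """Return findings for risky trust-policy patterns; an empty list means no finding."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            aws_principals = ["*"]
        else:
            aws = principal.get("AWS", [])
            aws_principals = [aws] if isinstance(aws, str) else list(aws)
        conditions = stmt.get("Condition", {})
        has_external_id = any("sts:ExternalId" in c for c in conditions.values())
        for p in aws_principals:
            if p == "*":
                findings.append("wildcard principal: any AWS identity may attempt to assume this role")
                continue
            account = account_id_from_principal(p)
            if account and account != own_account_id and not has_external_id:
                findings.append(f"cross-account principal {p} without an sts:ExternalId condition")
    return findings


def check_session_duration(seconds: int) -> bool:
    """True when `seconds` is an acceptable MaxSessionDuration for a role."""
    return MIN_SESSION_SECONDS <= seconds <= MAX_SESSION_SECONDS


# Constructed example of an overly permissive trust policy (not from any real account).
WILDCARD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    own_account = "111111111111"  # constructed placeholder account id
    policy = build_trust_policy("arn:aws:iam::222222222222:root", external_id="ext-id-constructed")
    # This JSON is what would go into trust-policy.json for `aws iam create-role`.
    print(json.dumps(policy, indent=2))
    print("findings:", check_trust_policy(policy, own_account))
    print("findings for wildcard policy:", check_trust_policy(WILDCARD_TRUST_POLICY, own_account))
    print("12h session ok:", check_session_duration(43200), "13h ok:", check_session_duration(46800))
```

Writing the output of build_trust_policy to trust-policy.json and running check_trust_policy over it before create-role turns the "appropriate trust policy" requirement into a repeatable check rather than a manual review.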
4. Best Practices
- Use least privilege: Grant only necessary permissions.
- Regularly rotate IAM roles and policies.
- Use roles for applications that run on EC2 instances.
- Monitor role usage with AWS CloudTrail for auditing.
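CloudTrail records every AssumeRole call as an event from sts.amazonaws.com, and the last best practice above only pays off if someone actually reads those records. The Python script below is an added example, not part of the original page or of any AWS product: it runs over a handful of constructed CloudTrail records (placeholder account ids, ARNs and addresses), counts successful assumptions per role and caller, and reports two things a defender would want to know: a successful assumption from an account outside an allow-list, and a burst of AccessDenied AssumeRole attempts on one role. The field names used (eventSource, eventName, userIdentity, requestParameters.roleArn, errorCode, sourceIPAddress) are standard CloudTrail fields; the allow-list and threshold are the example's own assumptions.

```python
from collections import Counter
from typing import Dict, Iterable, Iterator, List, Optional, Set

ROLE_ARN = "arn:aws:iam::111111111111:role/MyRole"  # constructed placeholder role


def _event(time: str, caller_arn: str, caller_acct: str, role_arn: str, ip: str,
           error: Optional[str] = None, name: str = "AssumeRole") -> Dict:
    """Build a minimal CloudTrail-shaped record (constructed sample data, not a real log)."""
    rec = {
        "eventTime": time,
        "eventSource": "sts.amazonaws.com",
        "eventName": name,
        "userIdentity": {"type": "IAMUser", "arn": caller_arn, "accountId": caller_acct},
        "requestParameters": {"roleArn": role_arn, "roleSessionName": "session"},
        "sourceIPAddress": ip,
    }
    if error:
        rec["errorCode"] = error
    return rec


# Constructed sample events: two expected assumptions, one from a foreign account,
# three denied attempts from another account, and one unrelated STS call.
SAMPLE_EVENTS = [
    _event("2024-01-01T10:00:00Z", "arn:aws:iam::111111111111:user/deployer", "111111111111", ROLE_ARN, "198.51.100.10"),
    _event("2024-01-01T10:05:00Z", "arn:aws:iam::111111111111:user/deployer", "111111111111", ROLE_ARN, "198.51.100.10"),
    _event("2024-01-01T11:00:00Z", "arn:aws:iam::333333333333:user/partner", "333333333333", ROLE_ARN, "203.0.113.7"),
    _event("2024-01-01T12:00:00Z", "arn:aws:iam::444444444444:user/x", "444444444444", ROLE_ARN, "192.0.2.9", error="AccessDenied"),
    _event("2024-01-01T12:00:05Z", "arn:aws:iam::444444444444:user/x", "444444444444", ROLE_ARN, "192.0.2.9", error="AccessDenied"),
    _event("2024-01-01T12:00:10Z", "arn:aws:iam::444444444444:user/x", "444444444444", ROLE_ARN, "192.0.2.9", error="AccessDenied"),
    _event("2024-01-01T13:00:00Z", "arn:aws:iam::111111111111:user/deployer", "111111111111", ROLE_ARN, "198.51.100.10", name="GetCallerIdentity"),
]


def assume_role_events(records: Iterable[Dict]) -> Iterator[Dict]:
    """Yield only STS AssumeRole records; other CloudTrail events are ignored."""
    for r in records:
        if r.get("eventSource") == "sts.amazonaws.com" and r.get("eventName") == "AssumeRole":
            yield r


def summarize(records: Iterable[Dict]) -> Counter:
    """Count successful assumptions keyed by (role ARN, calling principal ARN)."""
    counts: Counter = Counter()
    for r in assume_role_events(records):
        if "errorCode" in r:
            continue
        role = r["requestParameters"]["roleArn"]
        caller = r["userIdentity"].get("arn", "<unknown>")
        counts[(role, caller)] += 1
    return counts


def find_anomalies(records: Iterable[Dict], trusted_accounts: Set[str],
                   denied_threshold: int = 3) -> List[str]:
    """Report successful assumptions from untrusted accounts and repeated denied attempts."""
    findings: List[str] = []
    denied: Counter = Counter()
    for r in assume_role_events(records):
        role = r["requestParameters"]["roleArn"]
        caller_acct = r["userIdentity"].get("accountId")
        if "errorCode" in r:
            denied[(role, caller_acct)] += 1
            continue
        if caller_acct not in trusted_accounts:
            findings.append(f"{r['eventTime']}: {role} assumed from untrusted account "
                            f"{caller_acct} via {r['sourceIPAddress']}")
    for (role, acct), n in denied.items():
        if n >= denied_threshold:
            findings.append(f"{n} denied AssumeRole attempts on {role} from account {acct}")
    return findings


if __name__ == "__main__":
    for (role, caller), n in summarize(SAMPLE_EVENTS).items():
        print(f"{n:3d}  {caller} -> {role}")
    for line in find_anomalies(SAMPLE_EVENTS, trusted_accounts={"111111111111"}):
        print("ALERT:", line)
```

In practice the records would come from the CloudTrail S3 bucket or a log pipeline rather than an inline list, and the trusted-account set should mirror the accounts named in each role's trust policy, so that a successful assumption from anywhere else is always worth a look.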
5. FAQ
What is the difference between IAM users and IAM roles?
IAM users are permanent identities with long-term credentials, while IAM roles are temporary identities that can be assumed by trusted entities.
Can I assign multiple policies to a single IAM role?
Yes, you can attach multiple policies to an IAM role, providing a flexible way to manage permissions.
How long do temporary credentials last?
Temporary credentials are valid for a specific duration, which can be configured up to a maximum of 12 hours.